snow-flow 10.0.84 → 10.0.86

package/package.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
-  "version": "10.0.84",
+  "version": "10.0.86",
   "name": "snow-flow",
   "description": "Snow-Flow - ServiceNow Multi-Agent Development Framework powered by AI",
   "license": "Elastic-2.0",

package/src/cli/cmd/tui/component/dialog-auth.tsx

@@ -285,7 +285,7 @@ export function DialogAuth() {
       },
     },
     {
-      title: "Enterprise + ServiceNow",
+      title: "Portal + ServiceNow",
       value: "enterprise-combined",
       description: isEnterpriseConfigured() && isServiceNowConfigured() ? "Both connected" : undefined,
       category: "Combined",
@@ -919,7 +919,8 @@ function DialogAuthEnterprise() {
   const toast = useToast()
   const { theme } = useTheme()
 
-  const [step, setStep] = createSignal<"subdomain" | "code" | "verifying">("subdomain")
+  const [step, setStep] = createSignal<"plan-type" | "subdomain" | "code" | "verifying">("plan-type")
+  const [planType, setPlanType] = createSignal<"individual-teams" | "enterprise" | "">("")
   const [subdomain, setSubdomain] = createSignal("")
   const [sessionId, setSessionId] = createSignal("")
   const [authCode, setAuthCode] = createSignal("")
@@ -943,23 +944,50 @@ function DialogAuthEnterprise() {
     } catch {
       // Auth module not available
     }
-    setTimeout(() => subdomainInput?.focus(), 10)
   })
 
   useKeyboard((evt) => {
     if (evt.name === "escape") {
       const currentStep = step()
-      if (currentStep === "subdomain") {
+      if (currentStep === "plan-type") {
         dialog.replace(() => <DialogAuth />)
+      } else if (currentStep === "subdomain") {
+        setStep("plan-type")
+        setPlanType("")
       } else if (currentStep === "code") {
-        setStep("subdomain")
+        if (planType() === "individual-teams") {
+          setStep("plan-type")
+          setPlanType("")
+        } else {
+          setStep("subdomain")
+        }
         setSessionId("")
         setAuthCode("")
         setTimeout(() => subdomainInput?.focus(), 10)
       }
     }
+
+    // Handle 1/2 keypresses for plan type selection
+    if (step() === "plan-type") {
+      if (evt.name === "1") {
+        selectPlanType("individual-teams")
+      } else if (evt.name === "2") {
+        selectPlanType("enterprise")
+      }
+    }
   })
 
+  const selectPlanType = (type: "individual-teams" | "enterprise") => {
+    setPlanType(type)
+    if (type === "individual-teams") {
+      setSubdomain("portal")
+      startDeviceAuth()
+    } else {
+      setStep("subdomain")
+      setTimeout(() => subdomainInput?.focus(), 10)
+    }
+  }
+
   const startDeviceAuth = async () => {
     const sub = subdomain().trim().toLowerCase()
     if (!sub) {
@@ -1244,14 +1272,50 @@ function DialogAuthEnterprise() {
     <box paddingLeft={2} paddingRight={2} gap={1}>
       <box flexDirection="row" justifyContent="space-between">
         <text attributes={TextAttributes.BOLD} fg={theme.text}>
-          Enterprise Portal
+          Snow-Flow Portal
         </text>
         <text fg={theme.textMuted}>esc</text>
       </box>
 
+      <Show when={step() === "plan-type"}>
+        <box gap={1}>
+          <text fg={theme.textMuted}>What type of plan do you have?</text>
+          <box paddingTop={1} gap={1}>
+            <box
+              flexDirection="row"
+              gap={2}
+              borderStyle="single"
+              borderColor={theme.border}
+              paddingLeft={1}
+              paddingRight={1}
+            >
+              <text fg={theme.text}>[1] Individual / Teams</text>
+              <text fg={theme.textMuted}>- Login via portal.snow-flow.dev</text>
+            </box>
+            <box
+              flexDirection="row"
+              gap={2}
+              borderStyle="single"
+              borderColor={theme.border}
+              paddingLeft={1}
+              paddingRight={1}
+            >
+              <text fg={theme.text}>[2] Enterprise</text>
+              <text fg={theme.textMuted}>- Login via your organization subdomain</text>
+            </box>
+          </box>
+          <box paddingTop={1} flexDirection="row">
+            <text fg={theme.text}>1 </text>
+            <text fg={theme.textMuted}>Individual / Teams</text>
+            <text fg={theme.text}>  2 </text>
+            <text fg={theme.textMuted}>Enterprise</text>
+          </box>
+        </box>
+      </Show>
+
       <Show when={step() === "subdomain"}>
         <box gap={1}>
-          <text fg={theme.textMuted}>Enter your subdomain to connect to the Snow-Flow portal</text>
+          <text fg={theme.textMuted}>Enter your organization subdomain (e.g., "acme" for acme.snow-flow.dev)</text>
           <textarea
             ref={(val: TextareaRenderable) => (subdomainInput = val)}
             height={3}
@@ -1266,10 +1330,6 @@ function DialogAuthEnterprise() {
               startDeviceAuth()
             }}
           />
-          <text fg={theme.primary} attributes={TextAttributes.BOLD}>Individual / Teams</text>
-          <text fg={theme.textMuted}>  Enter "portal" → portal.snow-flow.dev</text>
-          <text fg={theme.primary} attributes={TextAttributes.BOLD}>Enterprise</text>
-          <text fg={theme.textMuted}>  Enter your org name → acme.snow-flow.dev</text>
           <box paddingTop={1} flexDirection="row">
             <text fg={theme.text}>enter </text>
             <text fg={theme.textMuted}>continue</text>
@@ -1587,6 +1647,7 @@ function DialogAuthEnterpriseCombined() {
   const { theme } = useTheme()
 
   type CombinedStep =
+    | "plan-type"
     | "subdomain"
     | "code"
     | "verifying-enterprise"
@@ -1600,7 +1661,8 @@ function DialogAuthEnterpriseCombined() {
     | "sn-basic-password"
     | "completing"
 
-  const [step, setStep] = createSignal<CombinedStep>("subdomain")
+  const [step, setStep] = createSignal<CombinedStep>("plan-type")
+  const [planType, setPlanType] = createSignal<"individual-teams" | "enterprise" | "">("")
   const [subdomain, setSubdomain] = createSignal("")
   const [sessionId, setSessionId] = createSignal("")
   const [authCode, setAuthCode] = createSignal("")
@@ -1674,18 +1736,36 @@ function DialogAuthEnterpriseCombined() {
     } catch {
       // Auth module not available
     }
-    setTimeout(() => subdomainInput?.focus(), 10)
   })
 
+  const selectCombinedPlanType = (type: "individual-teams" | "enterprise") => {
+    setPlanType(type)
+    if (type === "individual-teams") {
+      setSubdomain("portal")
+      startDeviceAuth()
+    } else {
+      setStep("subdomain")
+      setTimeout(() => subdomainInput?.focus(), 10)
+    }
+  }
+
   useKeyboard((evt) => {
     const currentStep = step()
 
     // Handle escape key for navigation
     if (evt.name === "escape") {
-      if (currentStep === "subdomain") {
+      if (currentStep === "plan-type") {
         dialog.replace(() => <DialogAuth />)
+      } else if (currentStep === "subdomain") {
+        setStep("plan-type")
+        setPlanType("")
       } else if (currentStep === "code") {
-        setStep("subdomain")
+        if (planType() === "individual-teams") {
+          setStep("plan-type")
+          setPlanType("")
+        } else {
+          setStep("subdomain")
+        }
         setSessionId("")
         setAuthCode("")
         setTimeout(() => subdomainInput?.focus(), 10)
@@ -1712,6 +1792,15 @@ function DialogAuthEnterpriseCombined() {
       }
     }
 
+    // Handle 1/2 keypresses for plan type selection
+    if (currentStep === "plan-type") {
+      if (evt.name === "1") {
+        selectCombinedPlanType("individual-teams")
+      } else if (evt.name === "2") {
+        selectCombinedPlanType("enterprise")
+      }
+    }
+
     // Handle 1/2 keypresses for ServiceNow method selection
     if (currentStep === "sn-method") {
       if (evt.name === "1") {
@@ -2200,11 +2289,48 @@ function DialogAuthEnterpriseCombined() {
     <box paddingLeft={2} paddingRight={2} gap={1}>
       <box flexDirection="row" justifyContent="space-between">
         <text attributes={TextAttributes.BOLD} fg={theme.text}>
-          Enterprise + ServiceNow Setup
+          Portal + ServiceNow Setup
         </text>
         <text fg={theme.textMuted}>esc</text>
       </box>
 
+      {/* Plan type selection */}
+      <Show when={step() === "plan-type"}>
+        <box gap={1}>
+          <text fg={theme.textMuted}>What type of plan do you have?</text>
+          <box paddingTop={1} gap={1}>
+            <box
+              flexDirection="row"
+              gap={2}
+              borderStyle="single"
+              borderColor={theme.border}
+              paddingLeft={1}
+              paddingRight={1}
+            >
+              <text fg={theme.text}>[1] Individual / Teams</text>
+              <text fg={theme.textMuted}>- Login via portal.snow-flow.dev</text>
+            </box>
+            <box
+              flexDirection="row"
+              gap={2}
+              borderStyle="single"
+              borderColor={theme.border}
+              paddingLeft={1}
+              paddingRight={1}
+            >
+              <text fg={theme.text}>[2] Enterprise</text>
+              <text fg={theme.textMuted}>- Login via your organization subdomain</text>
+            </box>
+          </box>
+          <box paddingTop={1} flexDirection="row">
+            <text fg={theme.text}>1 </text>
+            <text fg={theme.textMuted}>Individual / Teams</text>
+            <text fg={theme.text}>  2 </text>
+            <text fg={theme.textMuted}>Enterprise</text>
+          </box>
+        </box>
+      </Show>
+
       {/* Step 1: Enterprise subdomain */}
       <Show when={step() === "subdomain"}>
         <box gap={1}>
@@ -2237,7 +2363,7 @@ function DialogAuthEnterpriseCombined() {
       <Show when={step() === "code"}>
         <box gap={1}>
           <text fg={theme.primary} attributes={TextAttributes.BOLD}>
-            Step 1 of 2: Enterprise Portal
+            Step 1 of 2: Portal Login
           </text>
           <Show when={verificationUrl()}>
             <text fg={theme.text}>Open this URL to authorize this device:</text>

package/src/servicenow/servicenow-mcp-unified/shared/auth.ts

@@ -15,6 +15,8 @@
 import axios, { AxiosInstance } from 'axios';
 import * as fs from 'fs/promises';
 import * as path from 'path';
+import * as crypto from 'node:crypto';
+import * as os from 'node:os';
 import { ServiceNowContext, OAuthTokenResponse, EnterpriseLicense } from './types';
 import { mcpDebug } from '../../shared/mcp-debug.js';
 
@@ -589,13 +591,73 @@ export class ServiceNowAuthManager {
   }
 
   /**
-   * Load token cache from disk
+   * Derive a machine-specific encryption key for token cache
+   */
+  private deriveEncryptionKey(): Buffer {
+    const hostname = os.hostname();
+    let username: string;
+    try {
+      username = os.userInfo().username;
+    } catch {
+      username = process.env.USER || process.env.USERNAME || 'default';
+    }
+    const platform = os.platform();
+    const seed = `snow-flow-token-cache:${hostname}:${username}:${platform}`;
+    return crypto.createHash('sha256').update(seed).digest();
+  }
+
+  /**
+   * Encrypt data with AES-256-GCM
+   */
+  private encrypt(plaintext: string): string {
+    const key = this.deriveEncryptionKey();
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return JSON.stringify({
+      iv: iv.toString('base64'),
+      data: encrypted.toString('base64'),
+      tag: authTag.toString('base64'),
+    });
+  }
+
+  /**
+   * Decrypt data with AES-256-GCM
+   */
+  private decrypt(ciphertext: string): string {
+    const key = this.deriveEncryptionKey();
+    const { iv, data, tag } = JSON.parse(ciphertext);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(tag, 'base64'));
+    const decrypted = Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]);
+    return decrypted.toString('utf8');
+  }
+
+  /**
+   * Load token cache from disk (encrypted)
    */
   private async loadTokenCache(): Promise<void> {
     try {
       const cachePath = this.getTokenCachePath();
-      const cacheData = await fs.readFile(cachePath, 'utf-8');
-      const cached: Record<string, TokenCache> = JSON.parse(cacheData);
+      const raw = await fs.readFile(cachePath, 'utf-8');
+
+      let cached: Record<string, TokenCache>;
+
+      // Try decrypting first; fall back to plaintext for migration
+      try {
+        const decrypted = this.decrypt(raw);
+        cached = JSON.parse(decrypted);
+      } catch {
+        // Attempt plaintext parse for backward compatibility
+        try {
+          cached = JSON.parse(raw);
+          mcpDebug('[Auth] Migrating plaintext token cache to encrypted format');
+        } catch {
+          mcpDebug('[Auth] Token cache corrupted, starting fresh');
+          return;
+        }
+      }
 
       // Load tokens into memory cache
       Object.entries(cached).forEach(([key, token]) => {
@@ -605,6 +667,11 @@ export class ServiceNowAuthManager {
         }
       });
 
+      // Re-save as encrypted if we loaded from plaintext (migration)
+      if (this.tokenCache.size > 0) {
+        await this.saveTokenCache();
+      }
+
       mcpDebug('[Auth] Loaded', this.tokenCache.size, 'cached tokens');
     } catch (error: any) {
       // Cache file doesn't exist or is corrupted - not critical
@@ -615,7 +682,7 @@ export class ServiceNowAuthManager {
   }
 
   /**
-   * Save token cache to disk
+   * Save token cache to disk (encrypted, restricted permissions)
    */
   private async saveTokenCache(): Promise<void> {
     try {
@@ -627,12 +694,14 @@ export class ServiceNowAuthManager {
         cacheData[key] = token;
       });
 
-      // Ensure directory exists
-      await fs.mkdir(path.dirname(cachePath), { recursive: true });
+      // Ensure directory exists with restricted permissions
+      const cacheDir = path.dirname(cachePath);
+      await fs.mkdir(cacheDir, { recursive: true, mode: 0o700 });
 
-      // Write cache file
-      await fs.writeFile(cachePath, JSON.stringify(cacheData, null, 2), 'utf-8');
-      mcpDebug('[Auth] Token cache saved');
+      // Encrypt and write cache file with owner-only permissions
+      const encrypted = this.encrypt(JSON.stringify(cacheData));
+      await fs.writeFile(cachePath, encrypted, { encoding: 'utf-8', mode: 0o600 });
+      mcpDebug('[Auth] Token cache saved (encrypted)');
     } catch (error: any) {
       mcpDebug('[Auth] Failed to save cache:', error.message);
     }
@@ -643,7 +712,7 @@ export class ServiceNowAuthManager {
    */
   private getTokenCachePath(): string {
     // Store in user's home directory
-    const homeDir = process.env.HOME || process.env.USERPROFILE || '/tmp';
+    const homeDir = process.env.HOME || process.env.USERPROFILE || os.homedir();
     return path.join(homeDir, '.snow-flow', 'token-cache.json');
   }